From 163a1f4d42e2431952c2d9f5bc54237e70e0dbeb Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 3 May 2018 09:09:19 -0300
Subject: [PATCH] Bug 20701: Add csrf protection to mancredit.pl

Works OK.

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit fb083c95a2582904d633b84e4eddabce08baf99c)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
---
 .../prog/en/modules/members/mancredit.tt            |  1 +
 members/mancredit.pl                                | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt
index 65a61a59ea..0f7ffc78ba 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt
@@ -36,6 +36,7 @@ $(document).ready(function(){
 
 <form action="/cgi-bin/koha/members/mancredit.pl" method="post" id="mancredit">
 <input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrowernumber %]" />
+    <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
 
 <fieldset class="rows">
 <legend>Manual credit</legend><ol>
diff --git a/members/mancredit.pl b/members/mancredit.pl
index a26000dc30..94c308e93a 100755
--- a/members/mancredit.pl
+++ b/members/mancredit.pl
@@ -36,6 +36,7 @@ use C4::Members::Attributes qw(GetBorrowerAttributes);
 use Koha::Patron::Images;
 
 use Koha::Patron::Categories;
+use Koha::Token;
 
 my $input=new CGI;
 my $flagsrequired = { borrowers => 1, updatecharges => 1 };
@@ -48,6 +49,15 @@ my $add=$input->param('add');
 
 if ($add){
     if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
+
+        die "Wrong CSRF token"
+            unless Koha::Token->new->check_csrf( {
+                session_id => $input->cookie('CGISESSID'),
+                token  => scalar $input->param('csrf_token'),
+            });
+
+        # Note: If the logged in user is not allowed to see this patron an invoice can be forced
+        # Here we are trusting librarians not to hack the system
         my $barcode = $input->param('barcode');
         my $itemnum;
         if ($barcode) {
@@ -99,6 +109,9 @@ if ($add){
         borrowernumber => $borrowernumber,
         categoryname   => $data->{'description'},
         is_child       => ($data->{'category_type'} eq 'C'),
+        csrf_token => Koha::Token->new->generate_csrf(
+            { session_id => scalar $input->cookie('CGISESSID') }
+        ),
         );
     output_html_with_http_headers $input, $cookie, $template->output;
 }
-- 
2.39.5